TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

anonymous RPC function calls. Xfsmd for IRIX 6.5 through 6.5.16 is vulnerable. This signature detects when an attacker sends a malicious pattern in RPC-TCP traffic.
Signature ID: 16237
SGI IRIX rpc.xfsmd uses weak RPC authentication UDP
Threat Level: Information
Industry ID: CVE-2002-0359 Bugtraq: 5072
Signature Description: XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (rpc.xfsmd) on SGI systems uses the default AUTH_UNIX authentication mechanism for its RPC service. This means the rpc.xfsmd daemon trusts that the remote system calling its RPC interface has already authenticated the remote client process via standard UNIX user id mechanisms (i.e., if a daemon only allows UID 0 [root] access to its RPC interface, it trusts remote RPC clients to be running with UID 0 [root] privileges). As a result, any remote system able to forge UID 0 in its RPC call to a vulnerable SGI rpc.xfsmd daemon can bypass the RPC authentication mechanism altogether. A remote attacker can bypass the default AUTH_UNIX authentication mechanism for this RPC service, allowing anonymous RPC function calls. Xfsmd for IRIX 6.5 through 6.5.16 is vulnerable. This signature detects when an attacker sends a malicious pattern in RPC-UDP traffic.
Signature ID: 16238
Rusers RPC query via UDP
Threat Level: Information
Industry ID: CVE-1999-0626 Nessus: 11058,10228
Signature Description: This rule triggers when a request is made via Remote Procedure Call (RPC) to list the logged-in users. The rusers RPC query is used to discover the users currently logged on to the host. A response to this request provides valid user names of accounts that can connect to the host. This information can be used to attempt brute-force guessing of the associated passwords.
Signature ID: 16239
Sun Solstice Adminsuite Daemon sadmind Buffer Overflow TCP
Threat Level: Severe
Industry ID: CVE-1999-0977 Bugtraq: 866
Signature Description: The sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice Adminsuite packages are installed. The sadmind program is installed in /usr/sbin. It can be used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received. Under vulnerable versions of sadmind, if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. Since sadmind runs as root, it is possible to execute arbitrary code with root privileges on a remote machine. This signature detects when an attacker sends a malicious pattern in RPC-TCP traffic.
Signature ID: 16240
Sun Solstice AdminSuite Daemon sadmind TCP PING
Threat Level: Information
Signature Description: The sadmind RPC service is used by Sun Solstice AdminSuite applications to perform remote distributed system administration tasks such as adding new users. The ping function associated with the sadmind daemon verifies whether the daemon is active, so an attacker can ping sadmind to confirm that it is running before targeting it. This signature detects when an attacker sends a sadmind ping request in RPC-TCP traffic.